THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM 2002

SEPTEMBER 2002

Department of Energy
Washington, DC 20585
September 9, 2002

MEMORANDUM FOR

FROM: Inspector General

SUBJECT: INFORMATION: Evaluation Report on "The Department's Unclassified Cyber Security Program 2002"

As agencies strive to meet the President's goal of significantly increasing electronic government, the potential for disruption or damage to critical systems by malicious users continues to increase. In response to increasing threats to the Government's computer networks and systems, Congress enacted the Government Information Security Reform Act (GISRA) in October 2000. GISRA focuses on program management, implementation, and evaluation of the security of unclassified and national security information. It requires agencies to conduct annual reviews and evaluations of unclassified and classified computer security programs.

The Department of Energy is continuously expanding its networks and systems and will invest about $1.2 billion in information technology this year. This investment spans virtually all Department activities and includes systems dedicated to financial and performance management, as well as those devoted to specific mission areas. The Department also maintains a number of high-speed, nationwide networks dedicated to business processing and unclassified scientific research. As required by GISRA and Office of Management and Budget implementing guidance, the Office of Inspector General performed its second annual evaluation to determine whether the Department's unclassified cyber security program protected data and information systems.

RESULTS OF AUDIT

The Department had taken a number of positive steps to improve its unclassified cyber security program since our last review, but many of its critical information systems were still at risk. Cyber protection efforts were hampered by weaknesses in program management, planning, and execution. Specifically, we noted that the Department had not:

- Consistently implemented a risk-based cyber security approach;
- Assured continuity of operations through adequate contingency and disaster recovery planning;
- Strengthened its incident response capability by reporting all computer incidents;
- Ensured that employees with significant security responsibilities had received adequate training; and,
- Adequately addressed configuration management and access control problems.

We found that the Department had not sufficiently strengthened its cyber security policy and guidance, implemented a cyber security performance measurement system, or established an effective self-assessment program. As a result, the critical systems were at risk of unauthorized or malicious use. Furthermore, the potential existed for compromise of sensitive operational and personnel-related data.

In conducting our audit, we were mindful that many Federal and contractor personnel throughout the Department have worked tirelessly to advance the state of cyber security protections and to ensure that the Department's information technology assets are safeguarded. That we noted various compliance issues, as described in our report, in no way diminishes the diligence and professionalism with which these efforts have been undertaken. In this vein, we noted a number of positive steps taken to strengthen the cyber security program. In late 2001, the Department enhanced the stature of the Office of the Chief Information Officer (CIO) by organizing it as an independent office with a direct reporting relationship to the Deputy Secretary. Additionally, actions were taken to improve information technology capital planning. The CIO had also developed a comprehensive database to track the status of cyber security weaknesses identified by various reviews and evaluations.

MANAGEMENT REACTION

Management concurred with the findings and recommendations but did not believe that the recommendation to develop and finalize detailed cyber security policy and guidance was supported by the report's finding. Specifically, Management stated that vulnerabilities disclosed in the report resulted from weak or nonexistent compliance with existing policy at some sites rather than policy weaknesses. Management's comments are included in their entirety beginning at page 19.

In our view, strengthened policy and guidance is required. For example, the Department has not developed policies on the deployment of wireless networks or measures to minimize the risk associated with remote access to networks and systems. Furthermore, the Department had not formally approved an updated cyber security management program directive and guidance on configuration management and system certification and accreditation. Finally, we believe the repeat occurrence of many findings from the previous year requires a review of the sufficiency of existing policy.

Attachment

THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM 2002

TABLE OF CONTENTS

Overview
  Introduction and Objective ........ 1
  Conclusions and Observations ........ 2

Unclassified Cyber Security Program Weaknesses
  Details of Finding ........ 4
  Recommendations and Comments ........ 11

Appendices
  1. Scope and Methodology ........ 13
  2. Related Office of Inspector General and General Accounting Office Reports ........ 15
  3. Related Office of Independent Oversight and Performance Assurance Reports ........ 18
  4. Management Comments ........ 19

Overview

INTRODUCTION AND OBJECTIVE

The protection of cyber related critical infrastructure is essential to a strong homeland defense and has become a national priority. As agencies focus on satisfying the President's Management Agenda initiative of expanding electronic government, the potential for disruption or damage to mission critical[1] systems by malicious users continues to increase. Because of the extent of network interconnectivity across the Department of Energy (Department) and the increased accessibility of systems via the Internet, the risk of compromise of multiple systems is high. As we noted in our report on Management Challenges at the Department of Energy (DOE/IG-0538, December 2001), cyber security continues to be a significant issue facing the Department.

The Department continues to expand its networks and systems and expects to invest about $1.2 billion in information technology during Fiscal Year (FY) 2002. This substantial investment supports the development and maintenance of diverse information systems used to meet day-to-day mission requirements such as financial, stockpile stewardship, security, and research activities. In addition to these applications, the Department maintains a number of high-speed, nationwide networks dedicated to business processing and unclassified scientific research. Under the Department's current management structure, the Office of Security is responsible for the development of cyber security policy; the Chief Information Officer (CIO) monitors implementation and issues related guidance; and program officials are responsible for deploying protective measures for systems under their control.

In response to the increasing threat to computer networks and systems from both domestic and international sources, Congress enacted the Government Information Security Reform Act (GISRA) in October 2000. Generally, GISRA codified existing policies and regulations and reiterated security responsibilities outlined in the Computer Security Act of 1987 and the Clinger-Cohen Act of 1996. GISRA focuses on program management, implementation, and evaluation aspects of the security of unclassified and national security information and requires agencies to conduct annual agency program reviews and independent evaluations of both unclassified and classified computer security programs.

As required by GISRA and the Office of Management and Budget (OMB) implementing guidance, the Office of Inspector General (OIG) performed its second annual evaluation to determine whether the Department's unclassified cyber security program protected data and information systems.

[1] The Department had not developed a complete inventory of mission critical systems. In the absence of such an inventory, we considered a system to be mission critical if, in our opinion, it met the definition found in Section 3532(b)(2)(C), GISRA, i.e., if it "processes any information, the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of any agency."

CONCLUSIONS AND OBSERVATIONS

While the Department had taken a number of positive steps to improve its unclassified cyber security program, many of its critical information systems remained at risk. Cyber protection efforts continued to suffer from program management, planning, and execution weaknesses. As with our initial review, we noted the Department had not:

- Consistently implemented a risk-based cyber security approach;
- Assured continuity of operations through adequate contingency and disaster recovery planning;
- Strengthened its incident response capability by reporting all computer incidents;
- Ensured that employees with significant security responsibilities had received adequate training; and,
- Adequately addressed configuration management and access control problems.

These vulnerabilities existed because the Department had not strengthened its cyber security policy and guidance, implemented a cyber security performance measurement system, and established an effective self-assessment program. Persistent problems placed the Department's critical systems at risk of unauthorized or malicious use and increased the potential for compromise of sensitive operational and personnel-related data.

While much remains to be done, the Department had taken a number of positive, incremental steps in an effort to strengthen its cyber security program. Most notably, in late 2001, the Department enhanced the stature of the Office of the CIO by organizing it as an independent office with a direct reporting relationship to the Deputy Secretary. Furthermore, the Department had instituted actions designed to improve its information technology capital planning process by ensuring that cyber security is addressed during the budget process. In addition, several sites had strengthened external protections and implemented proactive network testing and monitoring programs. The Office of the CIO had also developed a Plan of Action and Milestones database to track the status of cyber security weaknesses identified by various reviews and evaluations. While program improvements have occurred, additional work in policy development and implementation is necessary to ensure that critical information technology resources are adequately protected.

Due to security considerations, information on specific vulnerabilities and locations has been omitted from this report. Management officials at the sites evaluated have been provided with detailed information regarding identified vulnerabilities, and in some instances, have initiated corrective actions.

Management should consider the issues discussed in this report when preparing the year-end assurance memorandum on internal controls.

Office of Inspector General

Unclassified Cyber Security Program Weaknesses

Systems and Data Remain at Risk

As with our FY 2001 evaluation, we noted problems with risk management, continuity of operations, incident reporting, training, configuration management, and access controls.

Risk Management

The Department had not consistently implemented a life cycle approach to identifying cyber security related risks and vulnerabilities for many of the networks and mission critical systems evaluated. Network and system level security plans had either not been prepared or were inadequate. We analyzed nine mission-critical systems for the adequacy of their security plans. Notably, system specific security plans that analyzed risks and security vulnerabilities such as those associated with attacks by hostile or terrorist supporting nations had not been developed for any of the mission critical systems evaluated. Site-wide cyber security program plans continued to omit specific risks to key systems and the controls necessary to mitigate them. Furthermore, the Department did not require the Office of the CIO to review updated site cyber security program plans to determine whether they adequately addressed known risks.

In addition, the Department was unable to determine its risk of exposure to attack by malicious entities because it had not developed an inventory of its networks and systems. As we noted in our FY 2001 evaluation, an inventory of networks and systems is an essential element of Information Technology (IT) governance and is necessary to identify applicable risks and vulnerabilities. Although the Department had begun a process to identify and prioritize its critical assets in 2001, the effort remained largely incomplete. As reported in Cyber-Related Critical Infrastructure Identification and Protection Measures (DOE/IG-0545, March 2002), the Department had not finalized the identification of national priority assets and the specific identification of critical cyber-related assets had not begun.

Continuity of Operations

Eleven of 24 organizations evaluated had not implemented procedures to enable them to recover quickly from a security-related system failure or disruption of critical services. Consistent with our FY 2001 evaluation, we noted that site-wide and application-specific continuity of operations plans had not been developed, were outdated, were missing critical elements, or had never been tested for viability. Problems with such planning expose the Department to the risk that it would be unable to restore critical networks and information systems or maintain continuity of operations in the event of a successful attack.

Incident Reporting

The Department lacked information necessary to adequately manage its network intrusion threat because of problems with incomplete reporting of cyber security incidents. Even though the Department had taken action designed to improve reporting, divergent interpretations of DOE Notice 205.4, Handling Cyber Security Alerts and Advisories and Reporting Cyber Security Incidents (March 2002), limited the effectiveness of the effort. For example, even though the Notice established a central point of contact for incident reporting and dissemination of cyber security information, it permitted sites wide latitude in deciding which incidents to report. The ability to compile and analyze trend data was limited because organizations were only required to report incidents that they deemed significant. In addition, the Department did not require negative reporting, a method for ensuring that organizations considered, and did not simply ignore, reporting requirements. A Department official noted that, as a consequence, a few sites that have installed automated reporting equipment reported many incidents, while others reported nothing. Without stronger and more consistent reporting requirements, the Department cannot draw meaningful conclusions as to the effectiveness of its overall intrusion detection capability and may be depriving other Federal entities such as the Federal Computer Incident Response Center (FedCIRC) or the National Infrastructure Protection Center of important trend data.

Training

Various organizations within the Department offered cyber security training, but no means had been devised to readily obtain information on the number and duties of those attending training, the type of training received, and the overall cost. For example, the Office of the CIO tracked individual attendance for courses it funded, but did not maintain data on program or site level training. Furthermore, cyber security training was not tracked at two of the sites we visited. Also, the Department had not developed a core curriculum for those with significant security responsibilities, but had established a FY 2003 performance goal to complete such standards.

Configuration Management

We continued to observe unnecessary network services and problems caused by not correcting known software vulnerabilities on workstations, servers, and on other devices such as network routers. Certain organizations had strengthened network perimeter defenses through improvements in firewall deployment, but others continued to maintain unneeded network access points. For example, our testing revealed that three sites had open ports on firewalls that could potentially allow unauthorized access to network resources. We also found that five sites permitted unnecessary or improperly secured remote access and file transfer services that could permit unauthorized access and anonymous remote logins. The risk of malicious or unauthorized users exploiting such vulnerabilities to gain unauthorized access was exacerbated by the fact that software tools installed at several sites did not permit the auditing and monitoring of unusual system activity or unsuccessful attempts to access the system over a period of time. While some sites had implemented such protections, they were not completely effective because the audit logs were not regularly reviewed.

Certain sites were also not properly maintaining systems and application software. For example, we found that five of the sites evaluated continued to use outdated versions of application and operating system software with known vulnerabilities despite frequent warnings and advisory bulletins by the Department's Computer Incident Advisory Capability. Additionally, several sites had not developed documented procedures for consistently evaluating, installing, and documenting patches and upgrades to systems and applications. At one site, we found several instances where the improper installation of software updates overwrote and rendered ineffective previously installed security patches.

Sites had also not established controls to ensure software changes were performed in a structured and controlled manner. Six sites lacked formal documented procedures for software change controls. Mitigating controls to prevent or detect improper changes to systems software were also not enforced at all sites. For example, at four sites activity logs were not monitored to prevent or detect unauthorized software changes. In addition, segregation of incompatible duties was not enforced at four of the sites evaluated and programmers had the ability to make unauthorized changes to systems software without management review and concurrence. At one site, a single user had the ability to both input and validate information in a system by using two separate login identifications.

Access Controls

Weak access controls and poor password management continue to be problems at certain sites. For instance, six sites did not employ strong password controls to minimize the risks associated with exploits such as automated guessing or "cracking" programs. Several sites permitted the use of vendors' default passwords and at one site management accepted off-the-shelf parameters that did not meet the Department's password requirements. We also found instances where account access was allowed without passwords, including administrator accounts that could be used to access multiple servers. Additionally, several sites did not require passwords to be changed at fixed intervals. Furthermore, an important control designed to prevent "brute force" access through password guessing -- account lockout after numerous incorrect login attempts -- had not been activated at two of the sites evaluated.

As noted in last year's evaluation, several sites had not developed or enforced procedures to guide them in granting or removing access to systems and computer facilities. For example, at least two sites did not periodically review user needs to ensure that access was still required and that it was limited to current job requirements. At one site, 37 users had administrator access accounts on which the password was set to "never" expire. These accounts also were not regularly reviewed to determine whether the special access privileges were still necessary. We found instances where system access of terminated and temporary personnel was not removed in a timely manner. For example, one former employee still had system administrator privileges over six months after leaving the Department in November 2001.
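The account-management conditions just described (access without a password, administrator passwords set to never expire, passwords not changed at a fixed interval, privileged access not periodically reviewed, former personnel retaining access, and lockout or failed-login auditing not activated) can be checked mechanically against an exported account inventory. The script below is an added example written for this page, not code from the report or from any Department system; the inventory layout, field names, sample accounts and the 90-day thresholds are assumptions.

```python
"""Access-control hygiene audit over an exported account inventory.

Added example for this page; not code from the DOE/IG report or from any
Department system.  It flags the account-management conditions the report's
Access Controls finding describes.  The inventory layout, the field names,
the sample accounts and the 90-day thresholds are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are assumptions; the report names no specific intervals.
MAX_PASSWORD_AGE = timedelta(days=90)           # "changed at fixed intervals"
PRIVILEGE_REVIEW_INTERVAL = timedelta(days=90)  # periodic review of special access


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    is_admin: bool
    has_password: bool
    password_never_expires: bool
    password_set: date | None           # None when no password is set
    last_privilege_review: date | None  # None if never reviewed
    separation_date: date | None        # None for current personnel


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int             # failed logins before lockout; 0 = not activated
    audit_failed_logins: bool  # unsuccessful attempts written to an audit log


def audit_account(acct: Account, today: date) -> list[str]:
    """Return the control failures observed on one account (empty if none)."""
    findings: list[str] = []
    if not acct.enabled:
        return findings  # a disabled account cannot be used; nothing to flag
    if not acct.has_password:
        findings.append("access permitted without a password")
    elif acct.password_set is not None and today - acct.password_set > MAX_PASSWORD_AGE:
        age = (today - acct.password_set).days
        findings.append(f"password not changed for {age} days")
    if acct.is_admin and acct.password_never_expires:
        findings.append("administrator account with password set to never expire")
    if acct.is_admin and (
        acct.last_privilege_review is None
        or today - acct.last_privilege_review > PRIVILEGE_REVIEW_INTERVAL
    ):
        findings.append("privileged access not reviewed within the review interval")
    if acct.separation_date is not None and acct.separation_date <= today:
        days = (today - acct.separation_date).days
        findings.append(f"account still enabled {days} days after separation")
        if acct.is_admin:
            findings.append("administrator privileges retained after separation")
    return findings


def audit_inventory(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account name to its findings, omitting accounts with none."""
    report = {a.name: audit_account(a, today) for a in accounts}
    return {name: f for name, f in report.items() if f}


def audit_lockout_policy(policy: LockoutPolicy) -> list[str]:
    """Check the system-wide controls against brute-force password guessing."""
    findings: list[str] = []
    if policy.threshold <= 0:
        findings.append("account lockout after repeated incorrect logins not activated")
    if not policy.audit_failed_logins:
        findings.append("unsuccessful access attempts are not audited")
    return findings


# Constructed sample inventory (not real accounts), audited as of 2002-06-01.
AUDIT_DATE = date(2002, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("dbadmin", True, True, True, True, date(2002, 4, 1), None, None),
    Account("jdoe", True, True, True, False, date(2002, 5, 20), date(2002, 5, 1), date(2001, 11, 15)),
    Account("svc_backup", True, False, False, False, None, None, None),
    Account("asmith", True, False, True, False, date(2002, 1, 2), None, None),
    Account("rlee", True, False, True, False, date(2002, 5, 1), None, None),
    Account("tmp_contractor", False, False, True, False, date(2002, 2, 1), None, date(2002, 3, 1)),
]
SAMPLE_POLICY = LockoutPolicy(threshold=0, audit_failed_logins=False)

if __name__ == "__main__":
    for name, problems in audit_inventory(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        for problem in problems:
            print(f"{name}: {problem}")
    for problem in audit_lockout_policy(SAMPLE_POLICY):
        print(f"policy: {problem}")
```

Run against a real export, the per-account findings map directly onto the report's remediation points: disable accounts past their separation date, enforce expiry on privileged passwords, and schedule the periodic privilege review the report found missing.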
Another site\n         did not remove system access granted to temporary employees if they\n\n\n\n\nPage 7                                                         Details of Finding\n\x0c                            were expected to return later. In addition, at two sites we noted that\n                            each had about 100 employees with access to the computer facilities.\n                            However, over one-third of the employees sampled did not have job\n                            responsibilities that required access.\n\n                            We also observed that a number of sites permitted users to remotely\n                            access networks without adequate protective measures. Departmental\n                            policy did not prescribe specific protective measures for remote access\n                            and methods used varied widely. Specifically, programs or sites we\n                            evaluated had not considered the risk associated with remote access\n                            when preparing cyber security plans, developed specific guidance for\n                            remote access security, or required protective measures such as\n                            personal firewalls and virus protection software.\n\nProtection of Information   GJSRA requires that each agency develop and implement an agency-\nResources                   wide cyber security program, consisting of policies, procedures, and\n                            control techniques, sufficient to protect information systems supporting\n                            agency operations and assets. GISRA focuses on program\n                            management, implementation, and evaluation aspects of the security of\n                            unclassified and national security information. 
It requires agencies to\n                            adopt a risk-based, life cycle approach to improving computer security\n                            and requires annual agency information security program reviews and\n                            independent evaluations of both unclassified and classified computer\n                            security programs. Specifically, GISRA requires:\n\n                                   Periodic risk assessments that consider internal and external\n                                   threats to the integrity, confidentiality, and availability of\n                                   systems and data;\n\n                                   Policies and procedures that are based on risk assessments that\n                                   cost-effectively reduce information security risks to an\n                                   acceptable level;\n\n                                   Adequate training of staff responsible for cyber security;\n\n                                   Cyber security awareness training for agency personnel;\n\n                                   Periodic management testing and evaluation of the effectiveness\n                                   of the program;\n\n                                  A process for ensuring remedial action to address significant\n                                  deficiencies; and\n\n                                  Procedures for detecting, reporting, and responding to cyber\n                                  security incidents.\nPage 8                                                                           Details of Finding\n\x0c Program Design and    Persistent cyber security vulnerabilities existed because the Department\n Implementation        had not strengthened related policy and guidance, implemented a cyber\n                       security performance measurement system, and established an effective\n                       self-assessment program.\n\n         
                                Cyber Security Policy and Guidance\n\n                       Despite a lengthy effort, the Department had not updated or\n                       strengthened cyber security policy and related implementing guidance.\n                       An updated cyber security management program directive and guidance\n                       on configuration management and the system certification and\n                       accreditation program had been drafted, but they had not been formally\n                       approved or implemented. Updates of existing policy and guidance are\n                       of critical importance to establishing an effective feedback loop that\n                       tracks changes in technology and takes advantage of the work\n                      performed by various oversight groups. For example, while the uses\n                       and risks associated with wireless networks have become widely\n                      known, the Department had not developed policy regarding their\n                      deployment. As we noted in our draft report on Remote Access\n                      Security, specific policy or guidance to minimize the risk associated\n                      with remote access to networks and systems had not been issued.\n                      Guidance to address issues described in our FY 2001 evaluation and in\n                      previous audit reports such as problems with risk management, a\n                      lifecycle approach to security management, and security personnel\n                      training had also not been provided.\n\n                                             Performance Measurement\n\n                      The Department had developed certain cyber security-related\n                      performance goals, yet it had not been successful in deploying a metric\n                      system needed to measure progress toward reaching those goals. 
As noted in our prior evaluation, the Office of the CIO designed a Cyber Security Metrics Program to satisfy the requirements of the Government Performance and Results Act of 1993 (GPRA). Despite significant effort, the CIO was unable to gain consensus or support from various program elements and the system was never deployed. A CIO official told us that the proposed metrics system had been redesigned to be consistent with OMB reporting guidance and it was anticipated that it would be finalized in the near future. Officials are hopeful that once completed, the metrics program will form the basis for monitoring the Department's overall cyber security performance.

Page 9    Details of Finding

Self-Assessments

Despite GISRA requirements and OMB implementing guidance, the Department had not established an effective cyber security self-assessment program. Although specifically recommended in our FY 2001 evaluation, the Department did not require the implementation of the National Institute of Standards and Technology's (NIST) self-assessment methodology for assessing cyber security. While the Department endorsed the use of the methodology in April 2002, use was optional and organizations were not required to provide completed assessments to the CIO for review.
Because the Department had not specified a template for conducting such activities, site or system self-assessments tended to vary greatly in their scope and the areas of cyber security reviewed. For example, one site had an assessment performed by an independent external reviewer while other sites performed no self-assessments or performed only limited self-assessments on specific aspects of their cyber security program. A review of comprehensive self-assessments based on NIST guidance could have helped Departmental entities identify cyber security program weaknesses and permitted the CIO and program managers to gauge the effectiveness of policy, guidance and protective measures.

Cyber Security Threats Continue

The threat of compromise of critical information resources continues to grow as the Department establishes additional web-based systems and increases network interconnections. External network scanning and probing activities conducted by potential hackers continue to grow exponentially. According to sources such as FedCIRC, attempts and actual penetrations of government computer systems have greatly increased over the last year. These incidents included attempted and successful intrusions, compromises, web defacements, denial of service events, virus and malicious code, scans and probes, misuse, and misconfiguration.
The failure to properly protect networks and systems and take prompt corrective action on identified weaknesses increased the risk of compromise or malicious damage of the Department's critical systems, some of which enable delivery of essential services to members of the public and other Federal agencies.

Inadequate protective measures placed the Department's critical unclassified information systems at risk of attack from internal and external sources and could ultimately result in data tampering, fraud, disruptions in critical operations, and inappropriate disclosure of sensitive or Privacy Act information. A particularly noteworthy example of the potential for harm was cited during a recent OIG investigation. The investigation disclosed that one of the Department's sites was the victim of 44 separate computer intrusions because it failed to correct a known security vulnerability. Specifically, the site ignored warnings by local security officials and the Department's Computer Incident Advisory Capability that a particular network component was vulnerable to a popular attack and should be patched "as soon as possible." Between 700 and 800 hours of effort were required to restore the systems because of this single failure.

Page 10    Details of Finding

RECOMMENDATIONS

To improve cyber security within the Department, we recommend that:

1.
The Office of Security, in conjunction with the Chief Information Officer and the National Nuclear Security Administration:

   - Develop and finalize detailed cyber security policy and guidance;
   - Implement a periodic policy review process to ensure that policy and related guidance are updated to reflect changes in technology and the results of reviews performed by oversight organizations; and,
   - Complete implementation of a cyber security metrics program to measure the effectiveness of policy, guidance, and protective measures.

2. The Chief Information Officer design and monitor the implementation of a structured, program-level cyber security assessment program based on the NIST guidance documents; and,

3. The Under Secretary for Energy, Science and Environment and the Administrator, National Nuclear Security Administration require each line organization to promptly correct the cyber security weaknesses identified in this report.

Page 11    Recommendations and Comments

MANAGEMENT REACTION

Management concurred with the findings and recommendations. Although management agreed that new and improved cyber security policy would strengthen protection of cyber assets, it did not believe that the recommendation to develop and finalize detailed cyber security policy and guidance was supported by the report's finding.
Specifically, management believed that vulnerabilities disclosed in the report resulted from weak or nonexistent compliance with existing policy at some sites rather than policy weaknesses.

Management cited a number of actions already underway to address the report's recommendations, including progress towards developing a new performance metrics program and a program to improve awareness and utilization of the NIST Self-Assessment tool. Management's comments are included in their entirety beginning on page 19.

AUDITOR COMMENTS

Management's comments are responsive to our recommendations. However, we believe that the report clearly demonstrates the need to strengthen policy and implementing guidance. For example, as we pointed out, the Department has not developed policies on the deployment of wireless networks or measures to minimize the risk associated with remote access to networks and systems. Furthermore, the Department had not formally approved an updated cyber security management program directive and guidance on configuration management and system certification and accreditation.
Finally, we believe the repeat occurrence of many findings from the previous year requires a review of the sufficiency of existing policy.

Page 12    Recommendations and Comments

Appendix 1

SCOPE

Between March and August 2002, we performed a vulnerability assessment of the Department's unclassified cyber security program. Specifically, we assessed controls over network operations to determine the effectiveness of access controls related to safeguarding information resources from unauthorized internal and external sources. The evaluation included a limited review of general and application controls in areas such as entity-wide security planning and management, access controls, application software development and change controls, and service continuity. Our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls.

METHODOLOGY

We conducted the second annual evaluation of the Department's unclassified cyber security program as required by GISRA.
We satisfied our evaluation objective by reviewing applicable laws and directives pertaining to cyber security and information technology resources, such as GISRA, OMB Circular A-130 (Appendix III), and DOE Notice 205.1, and reviewing the Department's overall cyber security program management, policies, procedures, and practices. Selected Headquarters offices and field sites were evaluated in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP, the OIG contract auditor. The evaluation included analysis and testing of general and application controls for systems as well as vulnerability and penetration testing of networks. To minimize duplication of effort, we directly incorporated the results of other recent audits, evaluations, and inspections performed by the OIG, the General Accounting Office, and the Office of Independent Oversight and Performance Assurance in our report.

We evaluated the Department's implementation of GPRA related to the establishment of performance measures for unclassified cyber security. We did not rely solely on computer-processed data to satisfy our objectives. However, computer-assisted audit tools were used to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and accuracy of the data produced by the tests.

Page 13    Scope and Methodology
Because our evaluation was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the objectives. Accordingly, we assessed internal controls regarding the development and implementation of automated systems. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

Department officials requested an exit conference. It will be scheduled within two weeks of the issuance of this report.

Page 14    Scope and Methodology

Appendix 2

OFFICE OF INSPECTOR GENERAL AND GENERAL ACCOUNTING OFFICE RELATED REPORTS

Nuclear Materials Accounting Systems Modernization Initiative (DOE/IG-0556, June 2002). The Department had not adequately managed its system redesign and modernization activities for nuclear materials accounting systems. Planned and ongoing nuclear materials accounting systems development activities were not always consistent with the Corporate Systems Information Architecture.

Cyber-Related Critical Infrastructure Identification and Protection Measures (DOE/IG-0545, March 2002). While the Department had initiated certain actions designed to enhance cyber security, it had not made sufficient progress in identifying and developing protective measures for critical infrastructures or assets.
For example, the audit disclosed that the identification of national priority assets had not been finalized and the specific identification of critical cyber-related assets had not begun. Corrective actions to address issues disclosed by our previous audit of the Department's infrastructure protection program were progressing slowly and remained incomplete. For instance, specific, quantifiable infrastructure protection-related performance measures had not been developed and the Department's critical infrastructure protection plan had not been updated.

The Department's Unclassified Cyber Security Program (DOE/IG-0519, August 2001). While the Department has made improvements in its unclassified cyber security program, the program did not adequately protect data and information systems as required by GISRA. Specifically, we observed problems with security program planning and management, including problems with risk management, contingency planning, computer incident reporting, and training management. Configuration management or access control problems also existed at many of the 24 sites evaluated. Problems with design and implementation of cyber security policy, including a lack of monitoring and specific, focused performance measures, contributed to these weaknesses and adversely impacted the effectiveness of the entity-wide program.
Observed weaknesses increased the risk that critical systems, a number of which enable delivery of essential services to members of the public and other Federal agencies, could be compromised or disabled by malicious or unauthorized users.

Evaluation of Classified Information Systems Security Program (DOE/IG-0518, August 2001). Overall, the evaluation of classified information systems was performed as required by GISRA. Office of Independent Oversight and Performance Assurance's "Report on the Status of the Department of Energy's Classified Information System Security Program" should provide the Department with reasonable assurance that the processes of managing and controlling classified information systems were independently evaluated.

Page 15    Related Reports

Integrated Planning, Accountability, and Budgeting System-Information System (DOE/IG-0509, June 2001). The Integrated Planning, Accountability, and Budgeting System-Information System (IPABS-IS) was not integrated into the Department's Corporate Systems Information Architecture. As a consequence, there were project management and security weaknesses in the development and operation of IPABS-IS that impacted its ability to satisfy Department goals and meet users' information needs.

The Department of Energy's Implementation of the Clinger-Cohen Act of 1996 (DOE/IG-0507, June 2001). While the Department had taken action to address certain IT related management problems, it had not been completely successful in implementing the requirements of the Clinger-Cohen Act of 1996.
We attributed the problems identified, in part, to the Department's decentralized approach to information technology management and oversight and the organizational placement of the CIO.

Virus Protection Strategies and Cyber Security Incident Reporting (DOE/IG-0500, April 2001). The Department's virus protection strategies and cyber security incident reporting methods did not adequately protect systems from damage by viruses and did not provide sufficient information needed to manage its network intrusion threat. These problems existed because the Department had not developed and implemented an effective enterprise-wide strategy for virus protection and cyber security incident reporting.

Fiscal Year 2000 Consolidated Financial Statements (DOE/IG-FS-01-01, February 2001). The report identified three reportable weaknesses in the Department's system of internal controls pertaining to performance measure reporting, financial management at the Western Area Power Administration, and unclassified information system security. Specifically, performance goals, in many cases, were not output or outcome oriented and/or were not meaningful, relevant, or stated in objective or quantifiable terms. The Department also had certain network vulnerabilities and general access control weaknesses.

Internet Privacy (DOE/IG-0493, February 2001). The Department's method of collecting data from users of its publicly accessible web sites was not always consistent with Federal regulations. Specifically, some web sites were collecting data by unapproved or undisclosed means and a number of web sites did not display conspicuously located, clearly written privacy notices.

Implementation of Presidential Decision Directive 63, Critical Infrastructure Protection (DOE/IG-0483, September 2000).
While external energy sector infrastructure protection activities were progressing and a number of internal and collateral actions had been completed, the Department had not implemented its critical infrastructure protection plan to mitigate significant vulnerabilities, or assure the continuity and viability of its critical infrastructures.

Page 16    Related Reports

Major Management Challenges and Program Risks: Department of Energy (GAO-01-246, January 2001). This report, part of GAO's high-risk series, discusses the major management challenges and program risks facing the Department. GAO found, among other things, security weaknesses in public Internet access to sensitive information on the Department's networks and in computer security at the Department's science laboratories.

Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies (GAO/AIMD-00-295, September 2000). GAO noted that a major contributing factor to the existence of the Department's security vulnerabilities was ineffective and inconsistent information technology security management throughout the Department. GAO found that, among other things, the Department had not prepared federally required security plans, effectively identified and assessed information security risks, or fully and consistently reported security incidents.

Information Security: Software Change Controls at the Department of Energy (GAO/AIMD-00-189R, June 2000). GAO reviewed software change controls at the Department focusing on, among other things, whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with Federal guidance.
They reported that Department-wide guidance and formal procedures were inadequate and several components reviewed had no formally documented process for routine software change control.

Information Security: Vulnerabilities in DOE's Systems for Unclassified Civilian Research (GAO/AIMD-00-140, June 2000). Unclassified scientific research information systems were not consistently protected at all Department laboratories. Although some laboratories were taking significant steps to strengthen access controls, many systems remained vulnerable. A major contributing factor to the continuing security shortfalls at these laboratories was that the Department lacked an effective program for consistently managing information technology security throughout the agency.

Page 17    Related Reports

Appendix 3

RELATED OFFICE OF INDEPENDENT OVERSIGHT AND PERFORMANCE ASSURANCE (OA) REPORTS INCORPORATED INTO OUR EVALUATION

Independent Oversight Inspection of Cyber Security at the Y-12 National Security Complex (November 2001)

Independent Oversight Inspection of Cyber Security at U.S.
Department of Energy Headquarters (January 2002)

Independent Oversight Cyber Security Inspection of the Oakland Operations Office and the Lawrence Livermore National Laboratory (April 2002)

Independent Oversight Inspection of Security and Cyber Security at the Kansas City Plant (May 2002)

Independent Oversight Cyber Security Inspection of the Office of Amarillo Site Operations and Pantex Plant (May 2002)

Independent Oversight Cyber Security Inspection of the Rocky Flats Field Office and the Rocky Flats Environmental Technology Site (June 2002)

Page 18    Related Office of Independent Oversight and Performance Assurance Reports

Appendix 4

Department of Energy
Washington, DC 20585

MEMORANDUM FOR:   RICKEY R. HASS
                  DIRECTOR, SCIENCE, ENERGY, TECHNOLOGY AND FINANCIAL AUDITS (IG-34)

FROM:             KAREN S. EVANS
                  CHIEF

SUBJECT:          Consolidated Comments on Draft Inspector General Report on "The Department's Unclassified Cyber Security Program 2002"

The Office of the Chief Information Officer (OCIO), as the designated primary action office responding to this report, has prepared consolidated comments to the draft Inspector General Report on "The Department's Unclassified Cyber Security Program 2002".
Comments have been received from the Office of Security, Office of Independent Oversight and Performance Assurance, National Nuclear Security Administration, and the Under Secretary for Energy, Science and Environment.

The Inspector General requested that comments be provided with the draft. If the reviewing organizations were in agreement with the recommendations, then they were to state the corrective actions taken or planned and the actual or target dates for the actions. The OCIO has attached the consolidated comments.

The OCIO has coordinated this response with all responding organizations. Please feel free to contact John Przysucha on 203-586-8836, or myself on 202-586-0166.

Attachment

cc:
EE
IN-1
FE
CK-1
OA
EM
OMBE
SO
NNSA

Page 19    Management Comments

Appendix 4 (continued)

Attachment

Consolidated Comments on Draft Evaluation Report "The Department's Unclassified Cyber Security Program 2002"

Comments on the Recommendations

Recommendation 1: The Office of Security, in conjunction with the Chief Information Officer and the National Nuclear Security Administration:
   a) Develop and finalize detailed cyber security policy and guidance;
   b) Implement a periodic policy review process to ensure that policy and related guidance are updated to reflect changes in technology and the results of reviews performed by oversight organizations; and,
   c) Complete implementation of a cyber security metrics program to measure the
effectiveness of policy, guidance, and protective measures.

Response: Concur with comment.

a. The Department has embarked on a course of strengthening cyber security policy and requirements in response to the challenges posed by rapidly changing technology and increasing threats. Government and industry have also been evolving national standards to counter the increased risk. Although the Department has cyber security policy in place, we are continuing to raise the bar with respect to what is required by our implementing organizations.

While we recognize the need to enhance cyber security policy and guidance, the draft Inspector General (IG) report does not provide sufficient findings to support this recommendation. Specifically, the compelling examples provided, which demonstrate a need for improved cyber security at DOE sites, are largely compliance issues. In most cases presented in this report, there is cyber security policy in place that addresses the specific issues. Most noted deficiencies are due to weak or nonexistent compliance with relevant policy at some DOE sites.
While we do not dispute the factual accuracy of the information provided in the body of the IG report, and also agree that new and improved cyber security policy will strengthen protection of DOE cyber assets, we find that this recommendation is not clearly supported by the report's findings and/or examples.

With respect to the portion of this recommendation concerning the development and finalization of cyber security policy and guidance, SO and the Office of the Chief Information Officer (OCIO) have been working to replace DOE N 205.1, Unclassified Cyber Security Program (and other cyber security directives), with a new set of directives that include a DOE order and several manuals and guides. The proposed order, DOE O 476.X, Department of Energy Cyber Security Management Program, will enhance managerial structure and accountability throughout the Department. The coordinated set of manuals and guides will articulate appropriate minimum requirements and implementation assistance respectively. Together, these directives will compel the performance outcomes needed to strengthen cyber security in DOE.
Although developing and issuing sufficient well-balanced policy and guidance in this area is a complex and non-trivial task, SO and OCIO have already placed significant priority on updating cyber security policy and guidance for the Department and are well along the way to accomplishing this objective.

Page 20    Management Comments

Appendix 4 (continued)

Significant enhancements that are currently in review within the Department include a Risk Management Manual addressing an integrated approach to risk assessment, configuration management, and verification and validation, and a Certification and Accreditation Manual. The manuals are under review by both the Cyber Security Coordination Group and the Policy Working Group prior to their formal submittal into the directives process. Both manuals are consistent with NIST guidance and are scheduled to be issued by the end of the second quarter of FY 03.

b. Regarding the recommendation to "implement a process to ensure that policy and related guidance are updated to reflect changes in technology", SO and OCIO have two existing working groups to facilitate this activity. The first is the Policy Working Group (PWG), whose charter is to provide policy and best practice recommendations to the CIO. PWG members are drawn from throughout the DOE, including both Federal and contractor personnel. The second group is the Technical Working Group (TWG), which is charged with assessing technology issues, ascertaining best security practices, and evaluating the changing nature of threats facing DOE and its organizations.
The TWG includes representatives from DOE, its contractors, and other non-governmental participants who can provide the necessary technical insight and guidance. The draft report does not address the existence of these two groups. Additionally, through SO, DOE intends to constitute a Cyber Security Quality Panel, which will bring together a diverse spectrum of end users, cyber security managers, risk management decision makers, and technologists to share needs and solutions to support DOE visions, objectives and policy drivers. OCIO and SO will continue to evaluate the complementary roles of the PWG, TWG and the planned Cyber Security Quality Panel to ensure that they (and their participants) are used most effectively for the Department. Furthermore, implementation by the CIO of Action 5-2 resulting from the Hamre report on "Science and Technology in the 21st Century" results in the establishment of a high-level cyber advisory panel which would also serve this function. Using all of these groups effectively would provide the Department with the capability to satisfactorily address this recommendation. The first meeting of the cyber advisory panel is expected by the end of September.

With respect to fulfilling its policy development responsibility for DOE, SO already ensures that "policy and related guidance are updated to reflect the results of reviews performed by oversight organizations". Again, there is little support for this recommendation in the main text of this report.

c. A new metrics program, using the Office of Management and Budget (OMB) GISRA reporting requirements as a baseline combined with metrics specific to unique aspects of DOE, is in the process of being launched via a Departmental memo from the CIO.
The more than 40 Tier I metrics in thirteen different reportable areas, to include classified and unclassified programs, will serve as the basis for the Department's Cyber Security Performance Measurement Program, which will be launched by the end of FY 02.

Data will be forwarded, on a six month basis, to the Office of Cyber Security, which will collect, consolidate, analyze, and disseminate its findings to senior Departmental management and other legislative/executive oversight organizations as appropriate. Collecting the performance measurement data will allow the Office of Cyber Security to establish trends, identify potential areas of weakness, and focus on improvement actions that will provide Department-wide benefits, to include improving policy, oversight, and management control.

Recommendation 2: The Chief Information Officer design and monitor the implementation of a structured, program-level cyber security assessment program based on the NIST guidance documents.

Response: Concur.
The CIO has already begun a program to improve awareness and utilization of the NIST IT Self-Assessment tool ASSET. The Associate CIO for Cyber Security released a memorandum to the program offices and their subordinate elements reiterating the importance of self-assessments (including references to OMB and DOE requirements) and promoting the use of the NIST 800-26 IT Self-Assessment Framework. The ASSET tool set has been provided to the Cyber Security Coordinating Group and the Policy Working Group.
By the end of FY02, the Associate CIO for Cyber Security will launch an education and awareness initiative regarding ASSET. In addition, NIST is in the process of launching their performance metrics program. The Department's metrics are patterned after those requested in OMB's GISRA reporting guidance for FY02. DOE's metrics program will continue to evolve as the NIST metrics are issued.

Recommendation 3: The Under Secretary for Energy, Science and Environment and the Under Secretary for National Nuclear Security, Administrator, National Nuclear Security Administration require each line organization to promptly correct cyber security weaknesses identified in this report of the evaluation.

Response: Concur.
The Under Secretaries of Energy, Science and Environment and National Nuclear Security Administration support requiring each line organization to promptly correct the cyber security weaknesses identified in the report of evaluation.

CONCURRENCES ON MANAGEMENT DECISION PACKAGE FOR DRAFT INSPECTOR GENERAL'S REPORT ON "THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM 2002"

NNSA
See attached

US
See attached

IG Report No.: DOE/IG-0567

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products.
We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the audit would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in this report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                           Date

Telephone                                      Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

Office of Inspector General (IG-1)
Department of Energy
Washington, DC 20585

ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter at (202) 586-1924.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible.
Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy, Office of Inspector General, Home Page
http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.